允许kubernetes应用程序访问其他AWS资源吗? [英] Allow kubernetes application to access other AWS resources?
问题描述
我想使用kubernetes在AWS EKS中部署应用程序.我的应用程序需要访问SQS和AWS S3.我不确定如何允许kubernetes应用程序访问SQS和S3.我调查了RBAC,但我猜想RBAC仅提供管理集群,名称空间或Pod的权限.
I want to deploy an application in AWS EKS using kubernetes. My application needs to access the SQS and AWS S3. I am not sure how to allow the kubernetes application to access the SQS and S3. I looked into RBAC but I guess RBAC only provides access to manage the cluster, namespace or pods.
我试图将访问密钥和秘密密钥作为秘密传递给环境变量并允许权限.但是我认为这不是一个好主意.
I am trying to pass the access key and secret key as the secrets to the environment variable and allow the permission. But I think this is not a good idea.
是否还有其他方法,例如创建IAM角色并将该角色传递给运行应用程序的Pod? 如果我尝试在worker节点角色中提供许可,则共享该节点的所有pod都将获得该许可.我需要像特定的容器或容器这样的东西才能获得许可
Is there any other way like creating the IAM role and passing the role to the pods running the application? If I try to provide the permission in the worker node role then all the pods sharing the node will get that permission. I need something like the specific pod or container will get the permission
我还尝试创建RBAC,在该RBAC中将角色分配给该组,然后将该组绑定到名称空间.
I also tried to create the RBAC in which a role is assigned to the group and the group is bind to the namespace.
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: default
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxx:role/EksWorkers-NodeInstanceRole-xxxxx
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::xxxxxxxxx:role/iam-role-for-application
groups:
- app-group
和
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admins
namespace: default
subjects:
- kind: Group
name: app-group
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
推荐答案
aws-auth
configMap用于将用户/角色映射到集群.
aws-auth
configMap is used to map users/roles to the cluster.
更新:这是您本机可以完成的操作
Update: Here is how you can do it natively
https://aws. amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/ https://docs. aws.amazon.com/en_pv/eks/latest/userguide/iam-roles-for-service-accounts.html
要为Pod赋予IAM角色,您可以使用以下工具之一
For giving an IAM role to pods you can use one of the below tools
https://github.com/jtblin/kube2iam
https://github.com/uswitch/kiam
亚马逊团队正在努力将其本地化
Amazon team is working on to bring this natively
https://github.com/aws/containers-roadmap /projects/1?card_filter_query = iam https://github.com/aws/containers-roadmap/issues/23
这篇关于允许kubernetes应用程序访问其他AWS资源吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!